add client config and dockerfile

MichaelViveros · Jul 24, 2019 · ee2e60e · ee2e60e
1 parent d509328
commit ee2e60e
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 4 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,9 @@
+FROM nginx:1.17.1
+
+EXPOSE 443
+
+COPY default.conf /etc/nginx/conf.d/
+
+ENV VERIFY_DEPTH 1
+ENV ALLOWED_CLIENT_S_DN 'CN=dunder-mifflin.com,O=Dunder Mifflin Inc,L=Scranton,ST=Pennsylvania,C=US'
+CMD envsubst '${VERIFY_DEPTH} ${ALLOWED_CLIENT_S_DN}' < /etc/nginx/conf.d/default.conf > /etc/nginx/conf.d/default.conf && exec nginx -g 'daemon off;'
diff --git a/README.md b/README.md
@@ -1,2 +1,31 @@
-# nginx-mutual-tls
-Docker image for NGINX server configured with Mutual TLS (server authentication AND client authentication)
+# NGINX Mutual TLS
+
+This image contains an NGINX server configured with Mutual TLS which will allow your server to do client authentication in addition to server authentication.
+
+[![Docker Pulls](https://img.shields.io/docker/pulls/mviveros/nginx-mutual-tls.svg)](https://hub.docker.com/r/mviveros/nginx-mutual-tls/)
+
+
+## Setup
+1. Put your certs in `./certs/`:
+* `server.crt` and `server.key` - server certificate and key used for server authentication
+* `ca.crt` - trusted root CA your server will allow client certificates signed by
+2. Set the environment variables:
+* `ALLOWED_CLIENT_S_DN` - allowed client certificate subject domain name, client certificates from other domains will result in a `403`
+* `VERIFY_DEPTH` (optional) - maximum client certificate verify depth, defaults to `1` which will allow client certificates signed by one intermediate CA, set to `0` to only allow client certificates signed by the trusted root CA
+3. Run it:
+```
+docker run -p 443:443 --env ALLOWED_CLIENT_S_DN='CN=webhooks.pagerduty.com,O=PagerDuty Inc,L=San Francisco,ST=California,C=US' -v `pwd`/certs/:/etc/nginx/conf.d/certs mviveros/nginx-mutual-tls
+```
+
+## Test
+Assuming you have client certs in `client.crt`/`client.key` and `ca_server.crt` contains the CA your server certificate is signed by, you can test it with:
+```
+curl -v --cert client.crt --key client.key --cacert ca_server.crt https://localhost:443
+```
+
+## Links
+* To see which specific configs were used to setup client authentication, check out commit [3d8b6cd](https://github.com/MichaelViveros/apache-mutual-tls/commit/3d8b6cd77cc04a1e4ad4807039cb991af1aa04bc)
+* Docs - https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#accesscontrol
+
+## Coming Soon
+* support for adding a proxy header for client subject domain name
diff --git a/default.conf b/default.conf
@@ -2,13 +2,20 @@ server {
     listen       443 ssl;
     server_name  localhost;
 
-    ssl_certificate /etc/nginx/conf.d/server.crt;
-    ssl_certificate_key /etc/nginx/conf.d/server.key;
+    ssl_certificate /etc/nginx/conf.d/certs/server.crt;
+    ssl_certificate_key /etc/nginx/conf.d/certs/server.key;
+
+    ssl_client_certificate /etc/nginx/conf.d/certs/ca.crt;
+    ssl_verify_depth ${VERIFY_DEPTH};
+    ssl_verify_client on;
 
     #charset koi8-r;
     #access_log  /var/log/nginx/host.access.log  main;
 
     location / {
+        if ($ssl_client_s_dn != "${ALLOWED_CLIENT_S_DN}") {
+            return 403;
+        }
         root   /usr/share/nginx/html;
         index  index.html index.htm;
     }